Skip to content

SCIM Server User-Provisioning

Contact Privacera Support to request enabling this feature.

PrivaceraCloud can be configured to use the System for Cross-Domain Identity Management (SCIM) 2.0 protocol.

This allows external management and synchronization of your PrivaceraCloud data access users and groups.

After you connect your Identity Provider to your PrivaceraCloud account via SCIM, data user attributes and group memberships are managed in the Identity Provider, not in PrivaceraCloud.

Data access users, groups, and roles can still be added in PrivaceraCloud, but users, groups, or roles created in PrivaceraCloud are not synchronized back to the Identity Provider.

SCIM server user provisioning does not apply to portal users (those who login to the portal).

Enable SCIM Server in PrivaceraCloud#

  1. In your PrivaceraCloud account, navigate to Settings > Datasource

  2. Choose UserSync.

    <img src="../assets/scim_image8.png" style="width:100%; height:auto;" />

  3. Enter a name to identify the connector. Click Next.

    <img src="../assets/scim_image2.png" style="width: 100%; height: auto" />

  4. Copy the Endpoint URL.
    Enter a value for Username and Password. Save all three values: Endpoint URL, Username, and Password values as they will be used by your SCIM Client or Okta SCIM Client.

    Click Next.

    <img src="..assets/scim_image10.png" style="width: 100%; height: auto" />

  5. Users or groups specified in Inclusions are added to filters. Specify any user or group Exclusions and click Next.

    <img src="../assets/scim_image6.png" style="width: 100%; height: auto" />

  6. Base User Attributes maps identity attributes in the SCIM payloads to Privacera data access user attributes.

    • On the right the source fields for PrivaceraCloud users.

    • These value can be available from your Okta or other identity provider.

    <img src="..assets/scim_image4.png" style="width: 100%; height: auto" />

Okta Identity Provider Integration#

For Okta SCIM client operations supported by PrivaceraCloud, see Supported Okta SCIM Client Operations.

Prerequisites#

  1. Obtain user provisioning functionality for your Okta account. For details, see Okta Lifecycle Management.

  2. Resolve group name conflicts before syncing to your PrivaceraCloud account. Rename groups that have the same name in your identity provider and in your PrivaceraCloud account.

Recommendation: Before integrating your production users and groups, create a test account and group in Okta, such as privacera-test-users, and use those test values to confirm integration. When you are satisfied with the results, repeat the process using live production users and groups.

Integration Steps#

Step 1. Enable SCIM API Integration in Okta#

Be sure you have the Endpoint URL and the username and password you specified from Enable SCIM Server in PrivaceraCloud.

  1. Log in to Okta and add the PrivaceraCloud application.

  2. From the application, click the Provisioning tab.

  3. Click Configure API integration.

  4. Select Enable API integration.

  5. Enter the Endpoint URL that was generated for you, and the Username/Password you provided in your PrivaceraCloud account in Enable SCIM Server in PrivaceraCloud.

  6. Click Test API Credentials. If the test passes, click Save.

  7. Under Settings, click To App.

  8. Click Edit and select Enable for desired options.

    Use this step to map user attributes or leave them with default settings.

  9. Click Save to apply the integration settings.

Step 2: Activate application features#

  1. From the application, click the Provisioning tab.

  2. Click Edit.

  3. Click the Enable checkbox for Create Users and Update User Attributes.

  4. Click Save

<img src="../assets/OktaSCIM-Step2-Activate-features" />

Step 3. Verify Email Addresses#

User provisioning in Okta relies on an email address to identify a user in PrivaceraCloud and consequently create or update a Privacera Cloud account. If the email address attribute for a user is inconsistent between the SAML SSO setting and the SCIM user provisioning setting in Okta, the user might end up with duplicate PrivaceraCloud accounts.

To avoid duplicate accounts, verify the email address attribute that maps to a user account is correct and used for both SAML SSO and SCIM user provisioning:

  1. From the User provisioning tab in Okta, note the field that maps to the Primary email attribute. The default is email, as shown below. <img src="../assets/OktaSCIM-Step3-Verify-mapping

  2. Click the Sign on tab. From the Credentials details section, look for the Application username format setting. Okta passes this field from a user's account as the SSO email address when creating or linking an account.

    If Application username format specifies an old value (for example, the old email address is user1OLD@example.com for the specified attribute) but you have another attribute that stores the same user's email address user1NEW@example.com, the user might end up with duplicate accounts. Troubleshoot as follows: - Before you complete this step, ask the user to log in with their PrivaceraCloud account at least once. - If the user still ends up with duplicate accounts, contact PrivaceraCloud support with the user's email addresses.

  3. Make sure the Application username format is set to the same attribute specified as Primary email in the previous step.

  4. Make sure that Update application username is set to Create and update. Click Save to apply your changes.
  5. Click Update Now to push the change faster than the Okta automatic update.

Step 4. Push Groups#

Privacera recommends using the group synchronization feature to automatically manage user privileges and licenses from your directory, instead of manually managing these from the organization.

This section describes how to configure group-based management.

Pushing a group to your PrivaceraCloud account pushes only the detail about the group, not the detais about the users who are part of the group.

  1. In Okta, click the Push Groups tab and then By name.

    Select the group name, and click Save.

    <img src="../assets/OktaSCIM-Step4-Push-Groups" />

  2. Review to make sure all desired groups have been pushed.

Step 5. Assign Users to the PrivaceraCloud Application in Okta#

  1. In Okta, click the Assignments tab of the PrivaceraCloud application. <img src="../assets/OktaSCIM-Step5-Assignments" />

  2. Click Assign, then Groups. Select the group to assign.

  3. In the displayed dialog, these default values are used only if the user profile does not have them. All fields are optional.

    When you are done with this step, click Save and Go Back.

  4. In PrivaceraCloud, to verify that users and groups are synced, navigate to Access Manager -> Users Groups and Roles.

Step 6. Write a Policy for Provisioned Users or Groups#

Create a data access policy for the provisioned users or groups through PrivaceraCloud to finalize the integration verification.

  1. From your PrivaceraCloud Account, navigate to Access Management -> Resource Policies.

  2. Select an application to write a policy over, such as Privacera Hive.

  3. Click Add Policy and enter the details as shown below.

  4. Verify the policy is in effect in your downstream application. <img src="../assets/scim_image7.png" style="width: 100%; height: auto" />

Supported Okta SCIM Client Operations#

User Operations#

The Privacera SCIM Server supports the following operations:

Operation Notes
Create new user A data access user is created in PrivaceraCloud Access Management -> Users. This account cannot be edited directly in PrivaceraCloud.
Link an existing user If a user already exists in your PrivaceraCloud Account, it is automatically linked to the user in Okta. This account can no longer be edited directly in PrivaceraCloud.
Update user details In PrivaceraCloud, you can update the display name and email address user attributes from your identity provider.

By default, a user's first and last names are combined to create the Display name. If Any display name entered in PrivaceraCloud overwrites the first and last name combination.
Deactivate user Deactivate is also sometimes called "soft delete".

Deactivation has the following effects:
  • The user is marked as hidden.
  • The user is removed from all groups.
Important: the Privacera administrator must manually remove the deactivated user from all user-based policies.

If your policies are based on groups (not specific users), no changes to policies are needed, because the user has been removed from the groups. You need to manually change a policy only if the user is explicitly named in it.
Delete user Delete the user manually in PrivaceraCloud.

Group Operations#

Groups created manually and by default (for example, public) in your PrivaceraCloud account cannot be managed via SCIM.

You can only manage groups synced from Okta via SCIM.

Operation Notes Troubleshooting
Create group The group is created as an read-only external group in PrivaceraCloud.
Update group membership PrivaceraCloud external data access users in your PrivaceraCloud account are modified to support the group membership changes reflected in this SCIM operation. If a synced group is empty, when pushing a group, make sure that the synchronized group does not have the same name as a default or manually created group in PrivaceraCloud.
Push group An error will result if the group name already exists in your PrivaceraCloud account. For example, the group named "public" might conflict. In your identity provider, rename the conflicting group with a name different from the PrivaceraCloud built-in group name and attempt to re-sync.
Delete group Manually delete the user account in PrivaceraCloud. Not implemented via SCIM

SCIM Server API#

SCIM 2.0 clients can also connect directly with the Privacera SCIM Server via the REST API.

Follow the steps in Enable SCIM Server in PrivaceraCloud to obtain the direct URL, username, and password.

Use Basic Authentication (base64 encoded username and password) to authenticate each API request.
Refer to the SCIM 2.0 Specification for specific protocol and call schemas.

Supported SCIM REST API Requests#

PrivaceraCloud supports the following requests:

GET - /Users
    - Params
        - startIndex
        - count
        - filter (Supports single filter for ‘eq’ operator on the following attributes: userName, givenName, firstName, active)

GET - /Users/{userId}

POST - /Users
    - Params
        - user (SCIM User JSON)

PUT - /Users/{userId}
    - Params
        - user (SCIM User JSON)

GET - /Groups
    - Params
        - startIndex
        - count
        - filter (Supports single filter for ‘eq’ operator on the following attributes: displayName)

GET - /Groups/{groupId}

POST - /Groups
    - Params
        - group (SCIM Group JSON)

PATCH - /Groups/{groupId}
    - Params
        - operations  (SCIM Operation list)   Supported Operations: 
                                op: replace
                                path:members
                                value:[{value: userId} … ]

                                op: remove
                                path: members[value eq “userId”]

                                op: add
                                path: members
                                value: [{value:userId} … ]  

Last update: August 30, 2021